Abstract

The iterative consensus problem requires a set of processes or agents with different initial values to interact and update their states so as to eventually converge to a common value. Protocols solving iterative consensus serve as building blocks in a variety of systems where distributed coordination is required for load balancing, data aggregation, sensor fusion, filtering, clock synchronization and platooning of autonomous vehicles. In this paper, we introduce the private iterative consensus problem, where agents are required to converge while protecting the privacy of their initial values from honest but curious adversaries. In many applications, protecting the initial states suffices to protect all subsequent states of the individual participants.

First, we adapt the notion of differential privacy to this setting of iterative computation. Next, we present a server-based and a completely distributed randomized mechanism for solving private iterative consensus with adversaries who can observe the messages as well as the internal states of the server and a subset of the clients. Finally, we establish the tradeoff between privacy and the accuracy of the proposed randomized mechanisms.



1 Introduction 



This paper addresses the problem of reaching agreement in a group iteratively while preserving individuals' privacy. The setup consists of $N$ agents, each with some initial information modeled as the valuation of a variable. The problem requires the agents to interact with each other and update their internal states, so that eventually they all converge to a common decision or value. This agreement on a common decision can then be used for coordinating the actions of the participating agents. Indeed, this iterative consensus has been used as a building block for designing a variety of distributed coordination protocols for load balancing [51 [53], filtering and sensor fusion [THl [21], clock synchronization, and flocking [H [HI HI [B], to name a few.

A natural, synchronous, and widely studied consensus mechanism has, at each round, every agent update its state as a weighted average of its own value with the values of its neighboring agents. This update rule can be expressed as $x(t+1) = P x(t)$, where $x(t)$ is the vector of agent values and $P$ is a symmetric $N \times N$ matrix with $P_{ij}$ defining the communication weight between agents $i$ and $j$. It turns out that this class of consensus mechanisms¹ converges to the average of the initial values of the agents, and a measure of the speed of convergence is given by the second largest eigenvalue in absolute value of the matrix $P$. More general necessary and sufficient conditions for achieving consensus with synchronous mechanisms, including cases where the matrix $P$ is time-varying, have been studied in [211 HZ] (see the book [14] for a complete overview). Sufficient conditions for achieving consensus with message delays and losses have been developed in [551 IS] and, more recently, a theorem-prover-based verification framework for these mechanisms has been presented in [151 [S]. Furthermore, stochastic variants of the consensus mechanism in the presence of communication noise have been studied in [S^l [H].

In this paper we study the private consensus problem, which requires the agents to preserve the privacy of their initial values from an adversary who can see all the messages being exchanged, while also achieving convergence to the average of the initial values. The notion of privacy used in this paper is derived from the idea of differential privacy, first introduced in [5] (see [H] for a survey) in the context of "one-shot" computations on statistical databases. Roughly speaking, differential privacy ensures that the removal (or addition) of a single participant from a database does not affect the output of any analysis substantially. It follows that an adversary looking at the output of any analysis cannot threaten to breach the privacy and security of individual participants.

In [10], the notion of differential privacy is expanded along two dimensions. First, it includes streaming and online computations in which the adversary can look at the entire sequence of outputs from the analysis algorithm. Secondly, it allows the adversary to look at the internal state of the algorithm (pan privacy) in addition to the communication messages.

This work is motivated by closed-loop applications where the output of the analysis is used as feedback by the participating agents in updating their states. As a starting point in this investigation, we use a client-server setup for iterative consensus. The clients are the agents with private initial values. In each round, the clients send some information to the server based on their current state, the server updates its own state based on the clients' information and sends feedback to the clients. Finally, the clients update their state according to some local control law based on the server's feedback. The clients are required to converge, while their initial values should be protected from any honest but curious adversary with access to the messages (between the clients and the server) as well as the server's internal state. We call this the Synchronous Private Consensus (SPC) problem.

¹We refrain from calling these mechanisms algorithms because they are designed to converge and not to terminate.

In many distributed control systems, protecting the initial information implies protection of the current state. For example, consider a platoon of vehicles which are required to move as a group with the same speed, while keeping their positions private. If the agents use a solution to the SPC problem for deciding on the common speed, then their initial velocities as well as their positions will be protected even if their initial positions and control laws are compromised.

In Section 3 we propose a randomized mechanism for solving the SPC problem. The key idea is to add a particular type of random noise to the clients' messages to the server. Specifically, for a client with internal state $\theta(t)$ at round $t$, the message it sends to the server is $\theta(t) + \eta(t)$, where $\eta(t)$ is a random (real) number chosen according to a Laplace distribution with a parameter that decays geometrically with $t$. In contrast, the noise values added in [10] for implementing an approximate online counter are always chosen from the same Laplace distribution. The feedback $y(t)$ provided by the server is the mean of the noisy messages it receives, and the clients update their states by taking a linear combination of $y(t)$ and their earlier state. This weighted average is an example of a simple type of client dynamics.

In Section 4 we generalize the client-server mechanism to a distributed setting where the adversary can access the messages and the states of a subset of compromised clients. The mechanism guarantees differential privacy of the good clients, and we derive a sufficient condition for convergence based on the communication pattern of the clients.

As randomization is used for achieving privacy, this mechanism guarantees convergence to the average in a probabilistic sense: given a probability $b$ and a radius $r$, we say that the mechanism is $(b, r)$-accurate if, from any initial state, with probability $1 - b$ the system converges to a value within distance $r$ of the average. In Section 5 we discuss the tradeoff between privacy and accuracy. There are two parameters in the definition of the mechanism which can be chosen to get different levels of privacy and accuracy. If these parameters are tuned to obtain $\varepsilon$-differential privacy, then we show that the achievable accuracy is $(b, r)$ with a radius $r$ that depends inversely on the privacy level ($\varepsilon$) and the accuracy probability ($1 - b$), and directly on $\sqrt{N}$.

The rest of the paper is organized as follows. In Section 2 we introduce the synchronous private consensus problem, and then formally define differential privacy, convergence, and accuracy. In Sections 3 and 4 we present and analyze the client-server and the distributed mechanisms for SPC. In Section 6 we compare our work with existing research in this area. In Section 7 we summarize our results and discuss possible future directions.

2 Preliminaries 

For a natural number $N \in \mathbb{N}$, we denote the set $\{1, \ldots, N\}$ by $[N]$. For an $S$-valued vector $\theta$ of length $N$ and $i \in [N]$, we denote the $i$-th component by $\theta_i$.

The mechanisms presented in this paper rely on random real numbers drawn according to the Laplace distribution. $\mathrm{Lap}(b)$ denotes the Laplace distribution with probability density $p_L(x \mid b) = \frac{1}{2b} e^{-|x|/b}$. This distribution has mean $0$ and variance $2b^2$. For any $x, y \in \mathbb{R}$, $\frac{p_L(x \mid b)}{p_L(y \mid b)} \le e^{|x-y|/b}$.
2.1 Problem Statement 

We state the synchronous private consensus (SPC) problem in the following setting. The system consists of $N$ clients with private initial values $\theta_1(0), \ldots, \theta_N(0)$ and one server. The clients and the server may have internal states and they communicate over channels. In each round, there are four phases: first, the clients send some messages to the server; next, the server performs computations to update its state; then it responds to the clients with some messages; and finally, the clients smoothly update their own internal states based on the response from the server.

Several vulnerabilities threaten to compromise the private initial values of the clients: (1) an intruder can have full access to all the communication channels, that is, he can peek inside all the messages going back and forth between the clients and the server; furthermore, (2) the intruder can access the server's internal state.

Roughly, a randomized mechanism for the clients and the server solves the 
synchronous private consensus problem if eventually all the clients converge to 
the average of their initial values with high probability and it guarantees that 
the intruder cannot learn about the initial private client values with any high 
level of confidence. We proceed to precisely define accuracy, convergence, and 
privacy. 

Our definition of privacy is a modification of the notion of differential privacy introduced in [10] in the context of streaming algorithms. Let $\Theta \subseteq \mathbb{R}$ be the domain of individual internal states and messages.

Definition 1 (Adjacency). Two vectors $\theta, \theta' \in \Theta^N$ are $\delta$-adjacent, for some $\delta > 0$, if there exists one $i \in [N]$ such that $|\theta_i - \theta'_i| \le \delta$ and for all $j \ne i$, $\theta_j = \theta'_j$.

Definition 2 (Differential Privacy). Let $\Theta^N \subseteq \mathbb{R}^N$ be the domain of global states, equipped with a metric $m(\cdot,\cdot)$. Let $X$ be the set of all possible message sequences and $Y$ the set of all possible sequences of internal states of a mechanism $\mathrm{Alg}$. The randomized mechanism $\mathrm{Alg}$ preserves $\varepsilon$-differential privacy if for all sets $X' \subseteq X$ and $Y' \subseteq Y$, and for all pairs of $\delta$-adjacent initial global states $\theta, \theta' \in \Theta^N$,

$$\Pr[\mathrm{Alg}(\theta) \in (X', Y')] \le e^{\varepsilon} \Pr[\mathrm{Alg}(\theta') \in (X', Y')].$$

We use the standard mean-square notion of convergence, which has been used in the context of consensus protocols [11]. Let $\theta_i(t) \in \mathbb{R}$ be the local state of agent $A_i$ at the beginning of round $t$; $\theta_i(0)$ denotes the secret initial state of $A_i$.

Definition 3 (Convergence). A randomized mechanism is said to converge if for any initial configuration and any $i, j \in [N]$, $\lim_{t \to \infty} \mathbb{E}[(\theta_i(t) - \theta_j(t))^2] = 0$, where the expectation is over the coin flips of the algorithm.

Definition 4 (Accuracy). For any initial state $\theta(0)$, $b \in [0,1]$ and $r \in \mathbb{R}_{>0}$, a randomized mechanism is said to achieve $(b, r)$-accuracy if every execution starting from $\theta(0)$ converges to a state within $r$ of the average $\bar\theta(0) = \frac{1}{N}\sum_{i \in [N]} \theta_i(0)$ with probability at least $1 - b$.

Our goal is to design a solution to the SPC problem that is guaranteed to converge. In addition, for an adversary looking at the sequence of messages passing through the channels as well as the sequence of internal states of the server (and possibly of some of the clients), the probabilities of the executions corresponding to adjacent initial local states and these sequences have to be related by the differential privacy inequality (Definition 2).

3 A Client-Server Mechanism and its Analysis 

In this section, we present a randomized mechanism for solving the synchronous private consensus problem. This mechanism has three parameters: $\sigma \in (0,1)$, $c$ and $q \in (0,1)$. The mechanism is specified by the following client and server actions, which define the four phases of each round. Let $T = \{0\} \cup \mathbb{N}$ be the infinite time domain. At each round $t \in T$:

(i) Client $i$ sends a message $x_i(t) = \theta_i(t) + \eta_i(t)$ to the server, where $\eta_i(t)$ is a random noise generated from the distribution $\mathrm{Lap}(cq^t)$.

(ii) The server updates its own state as the average of all client messages, $y(t) = \frac{1}{N}\sum_{j \in [N]} x_j(t)$.

(iii) The server sends $y(t)$ to all clients.

(iv) Client $i$ updates its state by linearly interpolating between $\theta_i(t)$ and $y(t)$ with coefficient $\sigma$, that is,

$$\theta_i(t+1) = (1-\sigma)\,\theta_i(t) + \sigma\, y(t). \qquad (1)$$

3.1 Analysis 

For $t \in T$, let $\theta(t) = [\theta_1(t), \ldots, \theta_N(t)]^\top$ be the vector defining the state of the clients at the beginning of round $t$. Similarly, $\eta(t)$ and $x(t)$ are the vectors of noise and messages. An execution of the mechanism is an infinite sequence of the form $\alpha = \theta(0), (\eta(0), x(0), y(0)), \theta(1), (\eta(1), x(1), y(1)), \ldots$. Observe that given an initial vector $\theta(0)$ and the sequence of noise vectors $\eta(0), \eta(1), \ldots$, the execution of the system is completely specified. That is, for all $t \in T$, it defines the messages $x(t), y(t)$, the internal states of the clients $\theta(t)$ and that of the server $y(t)$. Thus, for brevity we will sometimes write an execution $\alpha$ as an infinite sequence of the form $\theta(0), \eta(0), \theta(1), \eta(1), \ldots$. The prefix of $\alpha$ up to round $T \in T$ is denoted by $\alpha_T$. We denote the set of possible executions from $\theta(0)$ by $\mathrm{Execs}_{\theta(0)}$.

For a given execution $\alpha$, the adversary can observe the subsequence of messages $x(t), y(t)$ and the server's state $y(t)$. We denote this subsequence by $\alpha \downarrow (x, y)$. Hence, two executions $\alpha$ and $\alpha'$ are indistinguishable to an adversary if $\alpha \downarrow (x, y) = \alpha' \downarrow (x, y)$. For a set of observation sequences $\mathrm{Obs}$, the set of all possible executions from $\theta(0)$ which correspond to some observation in $\mathrm{Obs}$ is $\mathrm{Execs}_{\theta(0),\mathrm{Obs}} = \{\alpha \in \mathrm{Execs}_{\theta(0)} \mid \alpha \downarrow (x, y) \in \mathrm{Obs}\}$. We restate the definition of differential privacy in this context.

Definition 5 (Differential Privacy). A randomized mechanism preserves $\varepsilon$-differential privacy if for any set of observation sequences $\mathrm{Obs}$ and any pair of $\delta$-adjacent initial global states $\theta(0), \theta'(0) \in \Theta^N$,

$$\Pr[\mathrm{Execs}_{\theta(0),\mathrm{Obs}}] \le e^{\varepsilon} \Pr[\mathrm{Execs}_{\theta'(0),\mathrm{Obs}}]. \qquad (2)$$

Lemma 1 (Privacy). For $q \in (1-\sigma, 1)$, the mechanism guarantees $\varepsilon$-differential privacy with $\varepsilon = \frac{\delta}{c(q+\sigma-1)}$.

Proof. Let $\theta(0)$ and $\theta'(0)$ be arbitrary $\delta$-adjacent initial global states. Without loss of generality, we assume that for some $k \in [N]$, $\theta_k(0) = \theta'_k(0) + \delta$. Fix any subset of observation sequences $\mathrm{Obs}$. We will show that Equation (2) holds by establishing a bijective correspondence between the executions in $\mathrm{Execs}_{\theta(0),\mathrm{Obs}}$ and $\mathrm{Execs}_{\theta'(0),\mathrm{Obs}}$. For brevity, we denote these sets by $A$ and $A'$.

First, we define a bijection $f : A \to A'$. For $\alpha \in A$ defined by the noise sequence $\eta(0), \eta(1), \ldots$, we define $f(\alpha) = \theta'(0), (\eta'(0), x'(0), y'(0)), \theta'(1), (\eta'(1), x'(1), y'(1)), \theta'(2), \ldots$, where for each $t \in T$,

$$\eta'_i(t) = \begin{cases} \eta_i(t) + \delta(1-\sigma)^t & \text{for } i = k, \\ \eta_i(t) & \text{otherwise,} \end{cases}$$

$x'(t) = \theta'(t) + \eta'(t)$, $y'(t) = \frac{1}{N}\sum_{j \in [N]} x'_j(t)$, and for $t > 0$, $\theta'(t) = (1-\sigma)\,\theta'(t-1) + \sigma\, y'(t-1)$. Clearly, $f(\alpha)$ is a valid execution of the mechanism starting from $\theta'(0)$.

The following proposition relates the states and the observable vectors of two corresponding executions.

Proposition 2. For all $t \in T$ and $i \in [N]$,

(i) $\theta_k(t) - \theta'_k(t) = \delta(1-\sigma)^t$,

(ii) $\theta_i(t) = \theta'_i(t)$ for $i \ne k$,

(iii) $x'_i(t) = x_i(t)$,

(iv) $y'(t) = y(t)$.
Proof. The proof is by induction on $t$. For the base case $t = 0$, observe that for $i = k$, $x'_k(0) = \theta'_k(0) + \eta'_k(0) = \theta_k(0) - \delta + \eta_k(0) + \delta = x_k(0)$; otherwise, $x'_i(0) = \theta'_i(0) + \eta'_i(0) = \theta_i(0) + \eta_i(0) = x_i(0)$. Hence $y'(0) = y(0)$.

For the inductive step, assume that the proposition holds for all $t \le T$. From Equation (1) we have $\theta'_k(T+1) = (1-\sigma)\theta'_k(T) + \sigma y'(T)$ and $\theta_k(T+1) = (1-\sigma)\theta_k(T) + \sigma y(T)$. The difference of these two equations gives

$$\theta'_k(T+1) - \theta_k(T+1) = (1-\sigma)\big(\theta'_k(T) - \theta_k(T)\big) + \sigma\big(y'(T) - y(T)\big) = -\delta(1-\sigma)^{T+1}.$$

For any other client $i \ne k$, it follows immediately from $y'(T) = y(T)$ and $\theta'_i(T) = \theta_i(T)$ that $\theta_i(T+1) = \theta'_i(T+1)$.

Now we consider the clients' reports $x(T+1)$. For the $k$-th client, $x'_k(T+1) = \theta'_k(T+1) + \eta'_k(T+1) = \theta_k(T+1) - \delta(1-\sigma)^{T+1} + \eta_k(T+1) + \delta(1-\sigma)^{T+1} = x_k(T+1)$. For any other client $i \ne k$, $x'_i(T+1) = \theta'_i(T+1) + \eta_i(T+1) = \theta_i(T+1) + \eta_i(T+1) = x_i(T+1)$. So the reports satisfy $x'(T+1) = x(T+1)$, and the equality of the server's internal states $y'(T+1) = y(T+1)$ follows immediately. □

Parts (iii) and (iv) of the above proposition establish that $\alpha$ and $f(\alpha)$ are indistinguishable, that is, they indeed produce the same observation sequence.

Next we relate the probability of any finite prefix of an individual execution $\alpha \in A$ and of its corresponding execution $f(\alpha) \in A'$ for a particular observation sequence $\beta \in \mathrm{Obs}$. Since $\eta_i(t)$ and $\eta'_i(t)$ are both drawn from $\mathrm{Lap}(cq^t)$ and differ by at most $\delta(1-\sigma)^t$, the bound on Laplace density ratios from Section 2 gives

$$\frac{\Pr[\alpha_T = \theta(0), \ldots, \theta(T)]}{\Pr[(f(\alpha))_T = \theta'(0), \ldots, \theta'(T)]} \le \prod_{t=0}^{T-1} e^{\frac{\delta(1-\sigma)^t}{cq^t}} = \prod_{t=0}^{T-1} e^{\frac{\delta}{c}\left(\frac{1-\sigma}{q}\right)^t}.$$

Integrating over all executions $\alpha \in A$, we get

$$\int_A \Pr[\alpha_T = \theta(0), \ldots, \theta(T)]\, d\mu \le \prod_{t=0}^{T-1} e^{\frac{\delta}{c}\left(\frac{1-\sigma}{q}\right)^t} \int_{A'} \Pr[(f(\alpha))_T = \theta'(0), \ldots, \theta'(T)]\, d\mu',$$

where $d\mu$ and $d\mu'$ are the probability measures over $A$ and $A'$ defined by the randomized mechanism. If $q \in (1-\sigma, 1)$, then $(1-\sigma)/q < 1$ and, as $T \to \infty$, the product converges to a limit bounded by $e^{\varepsilon}$, where $\varepsilon = \frac{\delta}{c(q+\sigma-1)}$. Thus we obtain the required inequality for $\varepsilon$-differential privacy:

$$\Pr[\mathrm{Execs}_{\theta(0),\mathrm{Obs}}] \le e^{\varepsilon} \Pr[\mathrm{Execs}_{\theta'(0),\mathrm{Obs}}].$$

□
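The following Python script is an added illustration, not part of the paper: it simulates the client-server mechanism of this section and checks the two facts the proof of Lemma 1 rests on. Driving the mechanism from a $\delta$-adjacent initial state with the shifted noise sequence $f(\alpha)$ must reproduce exactly the same observation sequence $(x(t), y(t))$ and the state gap $\delta(1-\sigma)^t$ of Proposition 2, and the Laplace density ratio of the two noise sequences must stay below $e^{\varepsilon}$ with $\varepsilon = \delta/(c(q+\sigma-1))$. It also confirms that the spread of the client states contracts by exactly $(1-\sigma)$ per round regardless of the noise, while the common value drifts. All parameter values ($N = 5$, $\sigma = 0.5$, $c = 1$, $q = 0.9$, $\delta = 0.2$, the initial values and the seed) are constructed for the example, and the Laplace sampler (difference of two exponentials) is an implementation choice of the example, not a detail from the paper.

```python
import math
import random

# Constructed parameters (assumed values, not the paper's): five clients,
# sigma = 0.5, c = 1, q = 0.9 (so q > 1 - sigma holds) and adjacency gap delta = 0.2.
N, SIGMA, C, Q, DELTA = 5, 0.5, 1.0, 0.9, 0.2
THETA0 = [1.0, 3.0, -2.0, 0.5, 4.0]     # constructed private initial values


def sample_laplace(b, rng):
    """Lap(b) sampled as the difference of two i.i.d. exponentials with mean b."""
    return rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)


def log_laplace_pdf(x, b):
    """log of p_L(x | b) = exp(-|x| / b) / (2 b)."""
    return -abs(x) / b - math.log(2.0 * b)


def draw_noise(rounds, rng, n=N, c=C, q=Q):
    """eta(0), ..., eta(rounds-1) with eta_i(t) ~ Lap(c q^t), i.i.d. across clients."""
    return [[sample_laplace(c * q ** t, rng) for _ in range(n)] for t in range(rounds)]


def run_client_server(theta0, noise, sigma=SIGMA):
    """Steps (i)-(iv) driven by a fixed noise sequence. Returns the observable
    sequence [(x(t), y(t))] (what the adversary sees) and the states theta(0..T)."""
    theta, states, obs = list(theta0), [list(theta0)], []
    for eta in noise:
        x = [th + e for th, e in zip(theta, eta)]                 # (i)  noisy reports
        y = sum(x) / len(x)                                        # (ii) server state
        theta = [(1 - sigma) * th + sigma * y for th in theta]    # (iv) Eq. (1)
        obs.append((x, y))
        states.append(list(theta))
    return obs, states


def shifted_noise(noise, k, delta=DELTA, sigma=SIGMA):
    """The bijection f of Lemma 1's proof: eta'_k(t) = eta_k(t) + delta (1 - sigma)^t,
    every other client's noise unchanged."""
    return [[e + (delta * (1 - sigma) ** t if i == k else 0.0) for i, e in enumerate(eta)]
            for t, eta in enumerate(noise)]


def log_density_ratio(noise, noise_prime, c=C, q=Q):
    """log( prod_t prod_i p_L(eta_i(t) | c q^t) / p_L(eta'_i(t) | c q^t) )."""
    return sum(log_laplace_pdf(e, c * q ** t) - log_laplace_pdf(ep, c * q ** t)
               for t, (eta, etap) in enumerate(zip(noise, noise_prime))
               for e, ep in zip(eta, etap))


def privacy_budget(delta=DELTA, c=C, q=Q, sigma=SIGMA):
    """epsilon of Lemma 1; only meaningful for q in (1 - sigma, 1)."""
    if not 1 - sigma < q < 1:
        raise ValueError("Lemma 1 needs q in (1 - sigma, 1)")
    return delta / (c * (q + sigma - 1))


def spread(theta):
    return max(theta) - min(theta)


def same_observations(obs_a, obs_b, tol=1e-9):
    return all(abs(ya - yb) < tol and all(abs(a - b) < tol for a, b in zip(xa, xb))
               for (xa, ya), (xb, yb) in zip(obs_a, obs_b))


def demo(rounds=20, k=2, seed=7):
    """Run alpha from THETA0 and f(alpha) from the delta-adjacent theta'(0) with
    theta'_k(0) = theta_k(0) - delta, and report what the proof predicts."""
    rng = random.Random(seed)
    theta0_adj = list(THETA0)
    theta0_adj[k] -= DELTA
    noise = draw_noise(rounds, rng)
    noise_p = shifted_noise(noise, k)
    obs, states = run_client_server(THETA0, noise)
    obs_p, states_p = run_client_server(theta0_adj, noise_p)
    gap_ok = all(abs((states[t][k] - states_p[t][k]) - DELTA * (1 - SIGMA) ** t) < 1e-9
                 for t in range(rounds + 1))
    return {
        "indistinguishable": same_observations(obs, obs_p),      # Prop. 2 (iii), (iv)
        "state_gap_ok": gap_ok,                                   # Prop. 2 (i)
        "log_ratio": log_density_ratio(noise, noise_p),           # bounded by epsilon
        "epsilon": privacy_budget(),
        "spread_ratio": spread(states[-1]) / spread(states[0]),   # equals (1 - sigma)^T
        "drift": abs(sum(states[-1]) / N - sum(THETA0) / N),      # random walk of the mean
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The density-ratio check is the computational counterpart of the product in the proof: the per-round factor is $e^{(|\eta'_k(t)| - |\eta_k(t)|)/(cq^t)} \le e^{\delta(1-\sigma)^t/(cq^t)}$, so the summed log-ratio can never exceed $\varepsilon$ when $q > 1 - \sigma$, whatever noise is drawn.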
Lemma 3 (Convergence). The mechanism described above achieves convergence.

Proof. We define a global potential function $P : \mathbb{N} \to \mathbb{R}_{\ge 0}$ as $P(t) = \frac{1}{2}\sum_{i \ne j} (\theta_i(t) - \theta_j(t))^2$. In matrix notation, $P(t) = \theta(t)^\top L\,\theta(t)$, where $L \in \mathbb{R}^{N \times N}$ has elements

$$L(i,j) = \begin{cases} N-1, & i = j, \\ -1, & \text{otherwise.} \end{cases} \qquad (3)$$

The transition rule for the internal state of the $i$-th client can be written as

$$\theta_i(t+1) = \theta_i(t) - \frac{\sigma}{N}\Big(N\theta_i(t) - \sum_{j \in [N]} \theta_j(t)\Big) + \frac{\sigma}{N}\, w(t), \qquad (4)$$

where $w(t) = \sum_{i \in [N]} \eta_i(t)$. The update rule for all the agents can be written as $\theta(t+1) = \theta(t) - \frac{\sigma}{N} L\theta(t) + \frac{\sigma}{N} w(t)\,\mathbf{1}_N$. Then,

$$\begin{aligned} P(t+1) &= \theta(t+1)^\top L\,\theta(t+1) \\ &= \Big(\theta(t) - \tfrac{\sigma}{N} L\theta(t) + \tfrac{\sigma}{N} w(t)\mathbf{1}_N\Big)^\top L \Big(\theta(t) - \tfrac{\sigma}{N} L\theta(t) + \tfrac{\sigma}{N} w(t)\mathbf{1}_N\Big) \\ &= P(t) - 2\tfrac{\sigma}{N}\,\theta(t)^\top LL\theta(t) + \tfrac{\sigma^2}{N^2}\,\theta(t)^\top LLL\theta(t) \\ &\quad + 2\tfrac{\sigma}{N} w(t)\,\theta(t)^\top L\mathbf{1}_N - 2\tfrac{\sigma^2}{N^2} w(t)\,\theta(t)^\top LL\mathbf{1}_N + \tfrac{\sigma^2}{N^2} w(t)^2\, \mathbf{1}_N^\top L\mathbf{1}_N \qquad (5) \\ &= P(t) - 2\tfrac{\sigma}{N}\,\theta(t)^\top LL\theta(t) + \tfrac{\sigma^2}{N^2}\,\theta(t)^\top LLL\theta(t), \end{aligned}$$

where the last step uses $L\mathbf{1}_N = 0$. By Equation (3) we have $L = N I_N - \mathbf{1}_{NN}$, where $\mathbf{1}_{NN}$ is the all-ones matrix. So in this particular case we have $LL = (N I_N - \mathbf{1}_{NN})^2 = N^2 I_N - 2N\mathbf{1}_{NN} + \mathbf{1}_{NN}^2 = N^2 I_N - N\mathbf{1}_{NN} = NL$. Similarly, $LLL = N^2 L$. Substituting into Equation (5) we get

$$P(t+1) = (1 - 2\sigma + \sigma^2)\, P(t) = a\, P(t),$$

where $a = (1-\sigma)^2$. For all $\sigma \in (0,1)$, $a \in (0,1)$ is a constant. Thus, as $t \to \infty$, $P(t)$ converges exponentially to $0$, which implies convergence. □

From Equation (4), each agent adds an identical random variable $\frac{\sigma}{N} w(t)$ to its local state in round $t$. Although the average value drifts with this random variable, the relative distances between local states are not affected. As a result, the mechanism converges deterministically.

Lemma 4 (Accuracy). For any $b \in (0,1)$, the randomized mechanism achieves $(b, r)$-accuracy, with the radius $r$ obtained by specializing Lemma 8 to the client-server setting.

Proof. This is a special case of the more general proof we give later: see the proof of Lemma 8, with the constant $d$ specialized to this case. □

In this section we proposed a solution to the centralized synchronous private consensus problem and formally established its privacy, convergence and accuracy properties. We will discuss the trade-offs between privacy and accuracy in Section 5.






4 A Distributed Mechanism 



In this section, we present a second synchronous randomized mechanism for solving the private consensus problem which does not use a server but instead relies on the clients exchanging information with their neighbors in a truly distributed fashion. Let $G = ([N], \mathcal{E})$ be an undirected connected graph, where $[N]$ is the set of vertices and $\mathcal{E} \subseteq [N] \times [N]$ is the set of edges. Let $N(i) = \{j \in [N] \mid (i,j) \in \mathcal{E}\}$ be the set of neighbors of node $i$, with whom it communicates, and let $|N(i)|$ be the degree of node $i$ in $G$.

As in the previous setting, an intruder has access to all the communication channels as well as the internal states of a set $C$ of compromised clients (but cannot overwrite them). Our mechanism will protect the privacy of clients who are not compromised. Thus, in this context, Definition 5 is modified by restricting the notion of $\delta$-adjacency to uncompromised agents.

Now we state a mechanism to solve the distributed SPC problem. Besides the state variable $\theta_i$ which holds the consensus value, client $i$ holds another auxiliary state $y_i$. The mechanism has parameters $\sigma \in (0,1)^N$, $c$ and $q \in (0,1)$. Instead of sharing an identical linear combination factor, client $i$ has an independent $\sigma_i \in (0,1)$, which is the $i$-th element of the vector $\sigma$. At each round $t \ge 0$:

(i) Client $i$ sends a message $x_i(t) = \theta_i(t) + \eta_i(t)$ to every $j \in N(i)$, where $\eta_i(t)$ is a random noise generated from the distribution $\mathrm{Lap}(cq^t)$.

(ii) Client $i$ updates $y_i$ as the average of $x_i(t)$ and the messages it receives:

$$y_i(t) = \frac{1}{|N(i)|+1} \sum_{j \in N(i) \cup \{i\}} x_j(t). \qquad (6)$$

(iii) Client $i$ updates $\theta_i$ by linearly interpolating between $\theta_i(t)$ and $y_i(t)$ with coefficient $\sigma_i$, that is,

$$\theta_i(t+1) = (1-\sigma_i)\,\theta_i(t) + \sigma_i\, y_i(t). \qquad (7)$$



4.1 Analysis 

The analysis of the distributed mechanism parallels the analysis presented in Section 3. An execution $\alpha$ is defined as in the centralized setting, except that $y(t)$ is now a vector rather than a scalar. Privacy is not meaningful for the corrupted nodes themselves. Let $C \subseteq [N]$ be the set of corrupted nodes.

Lemma 5 (Privacy). For $q \in (1 - \sigma_m, 1)$, where $\sigma_m$ is the minimum element of the vector $\sigma$, the distributed mechanism guarantees $\varepsilon$-differential privacy with respect to the uncorrupted nodes, with $\varepsilon = \frac{\delta}{c(q + \sigma_m - 1)}$.

We omit the proof of Lemma 5 as it is a straightforward generalization of the proof of Lemma 1.
In contrast to Lemma 3, the convergence of the distributed mechanism depends on the structure of the graph $G$. Before stating the convergence result, we introduce the Laplacian matrix $L$ of graph $G$, with elements

$$L(i,j) = \begin{cases} |N(i)|, & i = j, \\ -1, & (i,j) \in \mathcal{E}, \\ 0, & \text{otherwise.} \end{cases} \qquad (8)$$

The Laplacian matrix $L$ of any graph is known to have several nice properties. It is by definition symmetric with real entries, hence it can be diagonalized by an orthogonal matrix. It is positive semidefinite, hence its real eigenvalues can be ordered as $\lambda_1 \le \lambda_2 \le \ldots \le \lambda_N$. Furthermore, $\lambda_1 = 0$, and $\lambda_2 > 0$ if and only if the graph is connected. Let $\{v_1, v_2, \ldots, v_N\}$ be a set of orthonormal eigenvectors of $L$ such that $v_k$ corresponds to $\lambda_k$. In addition, denote $d_i = \frac{\sigma_i}{|N(i)|+1}$. We state a sufficient condition for convergence as follows.

Assumption 1. Assume that graph $G$ has the following properties.

(I) $\lambda_2 > 0$, that is, graph $G$ is connected.

(II) $\lambda_N < \frac{2m}{M^2}$, where $m = \inf_{i \in [N]} d_i$ and $M = \sup_{i \in [N]} d_i$.

Lemma 6 (Convergence). The distributed mechanism described above achieves convergence if Assumption 1 holds.

Proof. We define a function $P : \mathbb{N} \to \mathbb{R}_{\ge 0}$ as

$$P(t) = \frac{1}{2}\sum_{(i,j) \in \mathcal{E}} \big(\theta_i(t) - \theta_j(t)\big)^2.$$

In matrix notation, $P(t) = \theta(t)^\top L\,\theta(t)$. By Assumption 1(I), $\mathbb{E}[P(t)] \to 0$ implies $\frac{1}{2}\sum_{i \ne j}\mathbb{E}[(\theta_i(t) - \theta_j(t))^2] \to 0$, i.e. convergence. According to Equations (6) and (7), the update equation of client $i$ is

$$\theta_i(t+1) = \big(1 - d_i|N(i)|\big)\,\theta_i(t) + d_i \sum_{j \in N(i)} \theta_j(t) + d_i\, w_i(t), \qquad (9)$$

where

$$w_i(t) = \sum_{j \in N(i) \cup \{i\}} \eta_j(t). \qquad (10)$$

We define the vector $w(t) = [w_1(t), \ldots, w_N(t)]^\top$ and the diagonal matrix $D \in \mathbb{R}^{N \times N}$ with elements

$$D(i,j) = \begin{cases} d_i, & i = j, \\ 0, & \text{otherwise.} \end{cases} \qquad (11)$$

The update rule for all the agents can be written as $\theta(t+1) = \theta(t) - DL\theta(t) + Dw(t)$. Then,

$$\begin{aligned} P(t+1) &= \theta(t+1)^\top L\,\theta(t+1) \\ &= \big(\theta(t) - DL\theta(t) + Dw(t)\big)^\top L\,\big(\theta(t) - DL\theta(t) + Dw(t)\big) \\ &= P(t) - 2\,\theta(t)^\top LDL\theta(t) + \theta(t)^\top LDLDL\theta(t) \qquad (12) \\ &\quad + 2\,\theta(t)^\top (I - LD)\, L D\, w(t) + w(t)^\top DLDw(t). \end{aligned}$$
Taking expectations of both sides with respect to the coin flips of the algorithm, starting from any state:

$$\mathbb{E}[P(t+1)] = \mathbb{E}[P(t)] - \mathbb{E}[Q(\theta(t))] + \mathbb{E}[w(t)^\top DLDw(t)], \qquad (13)$$

where

$$Q(\theta) = 2\,\theta^\top LDL\theta - \theta^\top LDLDL\theta.$$

The term $\mathbb{E}[2\,\theta(t)^\top (I - LD)\, LD\, w(t)]$ vanishes because (i) $\theta(t)$ and $w(t)$ are independent, and (ii) by Equation (10), $w(t)$ has zero mean.

Now we will prove that there exists a constant $a \in (0,1)$ such that $Q(\theta(t)) \ge aP(t)$. Because $L$ is positive semidefinite, we have $0 \preceq L \preceq \lambda_N I$. From Assumption 1 and Equation (11), we have $mI \preceq D \preceq MI$. Then,

$$\begin{aligned} Q(\theta) &\ge 2m\,\theta^\top LL\theta - \lambda_N\,\theta^\top LDDL\theta \\ &\ge 2m\,\theta^\top LL\theta - \lambda_N M^2\,\theta^\top LL\theta \qquad (14) \\ &= (2m - \lambda_N M^2)\,\theta^\top LL\theta. \end{aligned}$$

The following proposition helps obtain a bound on $a$.

Proposition 7. For any $\theta \in \mathbb{R}^N$, $\theta^\top LL\theta \ge \lambda_2\,\theta^\top L\theta$.

Proof. First, we show that the proposition holds for any eigenvector $v_k$ of $L$. For the eigenvector $v_1$ corresponding to $\lambda_1 = 0$, we have $v_1^\top L = 0$ and the inequality holds trivially. For any other eigenvector $v_k$ with corresponding eigenvalue $\lambda_k > 0$, we have $v_k^\top LLv_k = \lambda_k\, v_k^\top Lv_k \ge \lambda_2\, v_k^\top Lv_k$. Next, we prove that the proposition holds for any vector $\theta$. Because $\{v_1, v_2, \ldots, v_N\}$ is an orthonormal basis, for any $i \ne j$, $v_i^\top LLv_j = \lambda_j\, v_i^\top Lv_j = \lambda_j^2\, v_i^\top v_j = 0$. For any $\theta = \sum_{k \in [N]} \alpha_k v_k$, we have

$$\theta^\top LL\theta = \Big(\sum_{k \in [N]} \alpha_k v_k\Big)^\top LL\Big(\sum_{k \in [N]} \alpha_k v_k\Big) = \sum_{k \in [N]} \alpha_k^2\, v_k^\top LLv_k \ge \lambda_2 \sum_{k \in [N]} \alpha_k^2\, v_k^\top Lv_k = \lambda_2\,\theta^\top L\theta.$$

□

From Equation (14) and Proposition 7 it then follows that

$$Q(\theta(t)) \ge \lambda_2\,(2m - \lambda_N M^2)\, P(t).$$

Thus, for any $a < \min(\lambda_2(2m - \lambda_N M^2), 1)$, the inequality $Q(\theta(t)) \ge aP(t)$ holds. Also, by Assumption 1, $\lambda_2(2m - \lambda_N M^2) > 0$. Then, for some $a \in (0,1)$, Equation (13) reduces to

$$\mathbb{E}[P(t+1)] \le (1-a)\,\mathbb{E}[P(t)] + \mathbb{E}[w(t)^\top DLDw(t)] \le (1-a)\,\mathbb{E}[P(t)] + \lambda_N M^2\,\mathbb{E}[w(t)^\top w(t)].$$

As $t \to \infty$ the contribution of the first term converges to $0$. For the second term, recall that each element of $w(t)$ is a linear combination of i.i.d. $\eta_i(t) \sim \mathrm{Lap}(cq^t)$. For $i \ne j$, $\mathbb{E}[\eta_i(t)\eta_j(t)] = \mathbb{E}[\eta_i(t)]\,\mathbb{E}[\eta_j(t)] = 0$. For any $i$, $\mathbb{E}[\eta_i(t)^2] = \mathrm{Var}(\eta_i(t)) = 2c^2q^{2t}$, which also converges to $0$. So $\mathbb{E}[w(t)^\top w(t)] \to 0$ as $t \to \infty$. Combining, we have $\mathbb{E}[P(t)] \to 0$ as $t \to \infty$. □






In general, the expected consensus value of the distributed mechanism does not coincide with the initial average. Intuitively, a node with higher degree or slower evolution will have a heavier weight in the consensus value. In this context, Definition 4 is modified by replacing the average $\bar\theta(0) = \frac{1}{N}\sum_{i \in [N]} \theta_i(0)$ with the weighted average $\bar\theta(0) = \sum_{i \in [N]} \omega_i\, \theta_i(0)$, where the weight is $\omega_i = \frac{1/d_i}{\sum_{j \in [N]} 1/d_j} = \frac{(|N(i)|+1)/\sigma_i}{\sum_{j \in [N]} (|N(j)|+1)/\sigma_j}$.

Lemma 8 (Accuracy). The distributed mechanism achieves $\Big(b,\; c\sqrt{\frac{2d}{b(1-q^2)}}\Big)$-accuracy, where $d = \frac{\sum_{i \in [N]} (|N(i)|+1)^2}{\big(\sum_{j \in [N]} (|N(j)|+1)/\sigma_j\big)^2}$.

Proof. Let us fix an initial state $\theta(0)$ and define $\bar\theta(t) = \frac{\sum_{i \in [N]} \theta_i(t)/d_i}{\sum_{j \in [N]} 1/d_j}$ and $\bar w(t) = \frac{\sum_{i \in [N]} w_i(t)}{\sum_{j \in [N]} 1/d_j}$. We rewrite Equation (9) as

$$\frac{1}{d_i}\,\theta_i(t+1) = \frac{1}{d_i}\,\theta_i(t) - |N(i)|\,\theta_i(t) + \sum_{j \in N(i)} \theta_j(t) + w_i(t).$$

Adding up all $N$ equations and dividing by $\sum_{j \in [N]} 1/d_j$ (the terms $-|N(i)|\,\theta_i(t)$ and $\sum_{j \in N(i)} \theta_j(t)$ cancel when summed over $i$, since each $\theta_j(t)$ is counted once per neighbor of $j$) gives

$$\bar\theta(t+1) = \bar\theta(t) + \bar w(t) = \bar\theta(0) + \sum_{s=0}^{t} \bar w(s).$$

From the definition of $\bar w(t)$ and Equation (10), and since $\sum_{i \in [N]} w_i(t) = \sum_{i \in [N]} (|N(i)|+1)\,\eta_i(t)$, we have

$$\mathrm{Var}(\bar w(t)) = \frac{\mathrm{Var}\big(\sum_{i} w_i(t)\big)}{\big(\sum_j 1/d_j\big)^2} = \frac{\mathrm{Var}\big(\sum_{i} (|N(i)|+1)\,\eta_i(t)\big)}{\big(\sum_j 1/d_j\big)^2} = \frac{\mathrm{Var}(\eta_i(t)) \sum_{i} (|N(i)|+1)^2}{\big(\sum_j (|N(j)|+1)/\sigma_j\big)^2} = 2dc^2q^{2t}.$$

Since $q \in (0,1)$, the series converges:

$$\mathrm{Var}\Big(\sum_{s=0}^{t} \bar w(s)\Big) \le \mathrm{Var}\Big(\sum_{s=0}^{\infty} \bar w(s)\Big) = \sum_{s=0}^{\infty} 2dc^2q^{2s} = \frac{2dc^2}{1-q^2}.$$

By Chebyshev's inequality, for any $t \ge 0$:

$$\Pr\big(|\bar\theta(t) - \bar\theta(0)| < r\big) = 1 - \Pr\Big(\Big|\sum_{s=0}^{t} \bar w(s)\Big| \ge r\Big) \ge 1 - \frac{\mathrm{Var}\big(\sum_{s=0}^{t} \bar w(s)\big)}{r^2}.$$

Choosing $r = \sqrt{\mathrm{Var}\big(\sum_{s=0}^{\infty} \bar w(s)\big)/b} = c\sqrt{\frac{2d}{b(1-q^2)}}$, we have $1 - \Pr\big(|\sum_{s=0}^{t} \bar w(s)| \ge r\big) \ge 1 - b$. Letting $t \to \infty$, by Lemma 6 every execution converges. Then the lemma follows. □
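The following Python script is a worked example added here and is not part of the paper: it implements the distributed mechanism of Section 4 on a small constructed graph (four clients on the path 0-1-2-3 with an extra edge 0-2, per-client gains $\sigma_i$ and initial values chosen for the example). It builds the Laplacian of Equation (8), checks Assumption 1 (connectivity by graph search, $\lambda_N$ by power iteration, which is valid because the Laplacian is positive semidefinite), computes the weighted limit value $\bar\theta(0)$ and the accuracy radius of Lemma 8, and runs the mechanism with and without noise so that the noiseless run can be compared against the weighted average of the initial values. The graph, $\sigma$, initial values and random seed are assumptions of the example, and the Laplace sampler (difference of two exponentials) is an implementation choice of the example.

```python
import math
import random

# Constructed instance (assumed values, not the paper's): four clients on the
# graph 0-1, 1-2, 2-3 plus the chord 0-2, with per-client gains sigma_i.
EDGES = [(0, 1), (1, 2), (2, 3), (0, 2)]
SIGMA = [0.4, 0.3, 0.4, 0.2]
THETA0 = [1.0, 3.0, -2.0, 0.5]


def sample_laplace(b, rng):
    """Lap(b) sampled as the difference of two i.i.d. exponentials with mean b."""
    return rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)


def neighbors(n, edges):
    nb = [set() for _ in range(n)]
    for i, j in edges:
        nb[i].add(j)
        nb[j].add(i)
    return nb


def laplacian(n, edges):
    """L of Eq. (8): degree on the diagonal, -1 on edges, 0 elsewhere."""
    nb = neighbors(n, edges)
    return [[float(len(nb[i])) if i == j else (-1.0 if j in nb[i] else 0.0)
             for j in range(n)] for i in range(n)]


def is_connected(n, edges):
    """Equivalent to lambda_2 > 0 (Assumption 1(I)); checked by graph search."""
    nb, seen, stack = neighbors(n, edges), {0}, [0]
    while stack:
        for j in nb[stack.pop()]:
            if j not in seen:
                seen.add(j)
                stack.append(j)
    return len(seen) == n


def largest_eigenvalue(M, iters=2000):
    """lambda_N of a symmetric positive semidefinite matrix by power iteration."""
    n = len(M)
    v = [1.0 + 0.37 * i + 0.11 * i * i for i in range(n)]   # generic start vector
    for _ in range(iters):
        w = [sum(M[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    return sum(v[i] * M[i][j] * v[j] for i in range(n) for j in range(n))  # Rayleigh quotient


def gains(sigma, edges):
    """d_i = sigma_i / (|N(i)| + 1), the diagonal of D in Eq. (11)."""
    nb = neighbors(len(sigma), edges)
    return [sigma[i] / (len(nb[i]) + 1) for i in range(len(sigma))]


def assumption1_holds(sigma, edges):
    """Assumption 1: G connected and lambda_N < 2m / M^2."""
    d = gains(sigma, edges)
    m, big_m = min(d), max(d)
    lam_n = largest_eigenvalue(laplacian(len(sigma), edges))
    return is_connected(len(sigma), edges) and lam_n < 2 * m / big_m ** 2


def weighted_average(theta0, sigma, edges):
    """Limit value of Lemma 8: weights (1/d_i) / sum_j (1/d_j)."""
    inv_d = [1.0 / di for di in gains(sigma, edges)]
    return sum(w * th for w, th in zip(inv_d, theta0)) / sum(inv_d)


def accuracy_radius(sigma, edges, c, q, b):
    """r = c sqrt(2d / (b (1 - q^2))), d = sum_i (|N(i)|+1)^2 / (sum_j (|N(j)|+1)/sigma_j)^2."""
    nb = neighbors(len(sigma), edges)
    deg1 = [len(nb[i]) + 1 for i in range(len(sigma))]
    d = sum(k * k for k in deg1) / sum(k / s for k, s in zip(deg1, sigma)) ** 2
    return c * math.sqrt(2 * d / (b * (1 - q * q)))


def run_distributed(theta0, sigma, edges, c, q, rounds, seed=0):
    """Steps (i)-(iii) of the distributed mechanism; c = 0 gives the noiseless dynamics."""
    rng, nb = random.Random(seed), neighbors(len(theta0), edges)
    theta = list(theta0)
    for t in range(rounds):
        eta = [sample_laplace(c * q ** t, rng) if c > 0 else 0.0 for _ in theta]
        x = [th + e for th, e in zip(theta, eta)]                        # (i) reports
        y = [(x[i] + sum(x[j] for j in nb[i])) / (len(nb[i]) + 1)        # (ii) Eq. (6)
             for i in range(len(theta))]
        theta = [(1 - sigma[i]) * theta[i] + sigma[i] * y[i]             # (iii) Eq. (7)
                 for i in range(len(theta))]
    return theta


def spread(theta):
    return max(theta) - min(theta)


if __name__ == "__main__":
    print("Assumption 1 holds:", assumption1_holds(SIGMA, EDGES))
    print("weighted average  :", weighted_average(THETA0, SIGMA, EDGES))
    print("noiseless limit   :", run_distributed(THETA0, SIGMA, EDGES, 0.0, 0.9, 300))
    print("noisy final state :", run_distributed(THETA0, SIGMA, EDGES, 1.0, 0.9, 300, seed=3))
    print("accuracy radius   :", accuracy_radius(SIGMA, EDGES, 1.0, 0.9, 0.5))
```

With noise switched off the quantity $\sum_i \theta_i(t)/d_i$ is conserved exactly, so the clients settle on the weighted average $\bar\theta(0)$ rather than the plain mean; with noise on, the states still collapse to a common value, but that value has drifted by $\sum_s \bar w(s)$, which is what Lemma 8's radius bounds. For the complete graph with a uniform $\sigma$ the constant $d$ reduces to $\sigma^2/N$, which is the client-server case of Lemma 4.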

The trade-off between accuracy and privacy of this mechanism is similar to 
that of the client-server mechanism of Section [3] and we discuss them together 
next. 
5 Discussion on Results



We proposed two mechanisms that achieve iterative private consensus over an infinite horizon by adding a stream of noise to the messages sent by the clients (to each other or to the server). The standard deviation of the Laplace distribution of the noise added in every round decreases and ultimately converges to $\mathrm{Lap}(0)$, which is the Dirac $\delta$ distribution at $0$. The mechanisms have three parameters: the linear combination factor $\sigma$, the initial noise $c$ and the noise convergence rate $q$. The constraint to achieve privacy over an infinite horizon is that $q > 1 - \sigma$, which roughly means that the noise should decay more slowly than the system's inertia, so as to "cover" the trail of the dynamics.

From Lemmas 1 and 5 we observe that $\varepsilon$ decreases with larger $c$ or $q$. This implies that the system has higher privacy if the noise values are picked from a Laplace distribution with larger parameters (and hence larger standard deviation). From Lemmas 4 and 8, however, more dispersed noise results in worse accuracy. The tradeoff between privacy and accuracy for different noise convergence rates ($q$) is illustrated in Figure 1. If we fix the parameter $q$, we observe that for $\varepsilon$-differential privacy with $N$ agents and an accuracy level of $b$, the accuracy radius $r$ depends directly on $\sqrt{N}$ and inversely on $\varepsilon$ and on the accuracy probability. For specific values of these parameters, the dependence between $\varepsilon$ and $r$ is shown in Figure 1.

Figure 1: Privacy and accuracy as functions of the noise convergence rate $q$ in the centralized mechanism. Parameterized with $N = 500$, $\sigma = 0.8$, $c = 10$ and $b = 0.5$.



6 Related Work 

Our consensus mechanism has similarities with the protocols for computing sums and inner products presented in [1], in that all these protocols rely on adding noise to the states communicated among the participants. Our mechanism differs in the type of noise (geometrically decaying Laplace) that is added. Moreover, in our setup, the computed outputs are used as feedback for updating the state of the participants to achieve convergence.

In [7] a framework for securely computing general types of aggregates is 
presented. Every client splits its private data into pieces and sends them to 
different servers. If at least one server is not compromised, then the iterative 
aggregate computation is guaranteed to preserve privacy of the individuals. Our 
mechanism is quite different and it guarantees privacy even if the only server is 
compromised. 
In [5S], the authors present distributed protocols for computing the $k$ maximum values among all participants. In this protocol, the clients communicate a global vector of $k$ maximum values over a ring network. In each step, the client processing the global vector either, with an exponentially decaying probability, honestly replaces values in the global state that are smaller than one of its local values, or replaces the values in the vector with randomly generated small numbers. The metric of privacy is Loss of Privacy, which characterizes the additional knowledge the adversary gains from intermediate results beyond the final results. This work is set up with quite a different definition of privacy from ours. In addition, some features of our mechanism, such as feedback update and infinite horizon, are not present in this protocol.

7 Conclusions and Future direction 

In this paper, we formalized the Synchronous Private Consensus problem and proposed two mechanisms for solving it. The first relies on the client-server model of communication and the second is purely distributed. The key idea is to add to the clients' messages to the server (or to other clients) random noise drawn from a Laplace distribution that converges to the Dirac distribution. The messages with large noise give differential privacy and, as the noise level attenuates, the system converges to the target value with a probability that depends inversely on the security parameter and directly on the number of participants. The feedback $y(t)$ from the server is the mean of all noisy messages sent, and the clients update their states by taking a linear combination of $y(t)$ and their previous state. We formally prove the privacy and convergence of this mechanism. The key proof technique for privacy relies on constructing a bijective map between two sets of executions starting from different but adjacent initial states.

To the best of our knowledge, this is the first investigation of differential privacy in the context of control systems where the ultimate goal is convergence. Our results suggest several directions for future work. First, we are trying to apply our method to a larger set of control problems that arise from iterative closed-loop control. Novel applications of this arise from differential privacy and, more generally, security of distributed cyber-physical systems where the physical state is updated smoothly according to some differential equations.

Second, we are also interested in exploring the tradeoff between privacy and performance under more general dynamics of the system. In the SPC problem we discussed, the dynamics of the system are discrete and linear. We expect to extend the analysis to continuous or non-linear systems. Also, establishing a lower bound for the problem will be of significance.

An orthogonal direction is to develop automated verification and synthesis algorithms for controllers that preserve differential privacy. Along these lines, a verification framework for streaming algorithms has been presented in [31 [20]. The challenge will be to extend these ideas to synthesis and feedback control systems.